[37150] in Kerberos
Re: kerberos ticket cache
daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Jul 10 10:06:35 2015
Message-ID: <1436537172.4097.84.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Tom Yu <tlyu@mit.edu>
Date: Fri, 10 Jul 2015 10:06:12 -0400
In-Reply-To: <ldv7fq8yvaj.fsf@sarnath.mit.edu>
Mime-Version: 1.0
Cc: Andrew Levin <amlevin@mit.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Fri, 2015-07-10 at 09:52 -0400, Tom Yu wrote:
> Andrew Levin <amlevin@mit.edu> writes:
>
> > I have noticed that even after I delete my kerberos ticket cache, as below, I remain authenticated (eg I can open files in an area where kerberos authentication is required). How is this possible?
> >
> > [anlevin@lxplus0055 ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_13535_4nn0mf
> > Default principal: anlevin@CERN.CH
> >
> > Valid starting Expires Service principal
> > 07/10/15 09:54:58 07/11/15 10:54:58 krbtgt/CERN.CH@CERN.CH
> > renew until 07/15/15 09:54:58
> > 07/10/15 09:54:59 07/11/15 10:54:58 afs/cern.ch@CERN.CH
> > renew until 07/15/15 09:54:58
> > [anlevin@lxplus0055 ~]$ rm /tmp/krb5cc_13535_4nn0mf
>
> You didn't mention which sort of remote filesystem you're concerned
> with, but based on your klist output, you might be using AFS. The AFS
> client maintains a separate cache of AFS tokens, derived from the
> afs/cellname Kerberos ticket. You can typically use the "unlog" command
> to destroy those AFS tokens.
>
> Also, we generally recommend that people use kdestroy to destroy
> Kerberos tickets.
The same is true for Kerberized NFS in Linux: the session keys are stored in
the kernel and there is currently no way to revoke them; however, once
the session is destroyed the kernel will not be able to recreate it.
Simo,
--
Simo Sorce * Red Hat, Inc * New York
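The following script is an added example written for this archive page; it is not code from the thread or from MIT Kerberos. It illustrates the advice above: inspect the cache type that klist reports (deleting the file only makes sense for a FILE: cache, and does nothing for KEYRING: or KCM: caches), count AFS service tickets as a hint that kernel-held AFS tokens exist, and log out with kdestroy plus unlog rather than rm. It assumes the MIT klist/kdestroy binaries and, optionally, the OpenAFS unlog command are on PATH; the klist output it parses is a constructed sample shaped like the one in the question.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes MIT Kerberos klist/kdestroy
# and optionally OpenAFS unlog on PATH.

# Constructed sample of klist output (same shape as the question above).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_13535_4nn0mf
Default principal: anlevin@CERN.CH

Valid starting       Expires              Service principal
07/10/15 09:54:58    07/11/15 10:54:58    krbtgt/CERN.CH@CERN.CH
        renew until 07/15/15 09:54:58
07/10/15 09:54:59    07/11/15 10:54:58    afs/cern.ch@CERN.CH
        renew until 07/15/15 09:54:58'

# Cache type prefix from klist output: FILE, DIR, KEYRING, KCM, MEMORY ...
# Only a FILE cache corresponds to a single path that rm could remove.
ccache_type() {
  printf '%s\n' "$1" | sed -n 's/^Ticket cache: \([A-Za-z]*\):.*$/\1/p'
}

# Residual after the type prefix (a path for FILE, a key name for KEYRING).
ccache_residual() {
  printf '%s\n' "$1" | sed -n 's/^Ticket cache: [A-Za-z]*:\(.*\)$/\1/p'
}

# Number of afs/<cell> service tickets. If non-zero, the AFS client has
# probably derived kernel-held tokens from them, and unlog is needed too.
count_afs_tickets() {
  printf '%s\n' "$1" | grep -c '[[:space:]]afs/' || true
}

# Full logout: kdestroy handles every cache type, unlog drops AFS tokens.
# Returns 1 if klist still reports valid credentials afterwards.
krb_logout() {
  if command -v kdestroy >/dev/null 2>&1; then
    kdestroy -q || echo "kdestroy failed" >&2
  fi
  if command -v unlog >/dev/null 2>&1; then
    unlog || echo "unlog failed" >&2
  fi
  # klist -s is silent and exits 0 only while a valid TGT remains.
  if command -v klist >/dev/null 2>&1 && klist -s; then
    echo "warning: Kerberos credentials still present" >&2
    return 1
  fi
  return 0
}

# Run the logout only when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "--run" ]; then
  current="$(klist 2>/dev/null || true)"
  echo "cache type: $(ccache_type "$current")"
  echo "afs tickets: $(count_afs_tickets "$current")"
  krb_logout
fi
```

Run it as `sh krb_logout.sh --run` on a host with tickets; the parsing helpers can be sourced and tested on saved klist output without touching any credentials.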
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos